SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
A Scalable, Control-based, Developer-centric Threat Modeling for Secure Software Development
Dr. Soumyo Maity and Lokesh Balu
Dell Technologies
Principal & Senior Principal Engineer
SACON 2020
Agenda
• Threat Model 101
• The big scalability question
• Quick intro to Security Controls
• A new control-based approach of threat modeling
• Solution to scalability problems
• A Case study
• Future work
Threat Model 101
• The process of determining
– the range of potential security threats,
– the risks associated with them, and
– the appropriate risk responses
… at design time.
(Identify design- and architecture-level security problems)
• Threat modeling = the process
• Threat model = result of the process
Why do Threat Model?
• Produce software that’s secure by design
• Because attackers think differently
• Creator blindness/new perspective
• Find problems when there’s time to fix them
• Predictably and effectively find security problems early in the process
“Bad guys will do it later if the good guys are lazy”
How to do Threat Model
• Assets to protect
• Threats to consider
• Objectives to meet
• Requirements to implement
• Risks to evaluate
• Controls to implement
• Monitor for gaps
STRIDE, DREAD, PASTA, LINDDUN, Attack Tree
STRIDE
• Spoofing identity
– Illegally accessing and then using another user's authentication information
• Tampering with data
– Malicious modification
– Unauthorized changes
• Repudiation
– Deny performing a malicious action
– Inability of a system to counter repudiation threats
• Information disclosure
– Exposure of information to individuals not supposed to access it
• Denial of service
– Deny service to valid users
– Threats to system availability and reliability
• Elevation of privilege
– Unprivileged user gains privileged access to compromise system
– Effectively penetrated and become part of the trusted system
PASTA (Process for Attack Simulation and Threat Analysis)
• Define Business Context
– Identify inherent application risk profile and address other business impact
• Define Technology Scope
– Identify bottlenecks in technology stack
• Application Decomposition
– Focus on understanding the data flows amongst application components and services
• Threat Analysis
– Review threat assertions from data within environment and deployment model
• Weakness / Vulnerability Identification
– Identify the vulnerabilities and weaknesses within the application design and code
• Attack Simulation
– Focus on emulating attacks that could exploit identified weaknesses/vulnerabilities
• Residual Risk Analysis
– Remediate vulnerabilities or weaknesses in code or design
DREAD
• Damage: how bad would an attack be?
• Reproducibility: how easy is it to reproduce the attack?
• Exploitability: how much work is it to launch the attack?
• Affected users: how many people will be impacted?
• Discoverability: how easy is it to discover the threat?
LINDDUN (Linkability, identifiability, nonrepudiation, detectability, disclosure of information, unawareness, noncompliance)
• Define DFD
– High Level System Description
• Map Privacy
– Map LINDDUN with DFD
• Identify Threat Scenarios
– Privacy Threat Patterns in form of tree
• Prioritize Threat
– Risk assessment techniques
• Elicit Privacy Threat
– Map privacy threat to requirement
• Mitigation Strategy
– Select Privacy Enhancing Technologies
Attack Tree
[Diagram: attack tree with node labels Attack Goal; Attack Objective 1, 2, 3; Attack Method 1, 2; Asset Attack 1, 2, 3, 2, 4; branches joined by AND / OR]
Threat Library Based Approach
• One thing common in all conventional Threat Models
– Threat Library based approach
• Threat Library is:
– Too cryptic for the developers
– Threats are not directly mapped with an action / activity
– Usually static
• There are tools:
– But, with limitation
– Costly
– Requires skill to configure as per business need
Scalability
• Modeling Threat is no easy job
• Who cares for security expert’s jargon?
• Too conceptual, abstract and prescriptive
• Architecture is becoming more and more complex
• Considering supply chain - a mammoth task
• Security skill resource gap
• Development is becoming more and more agile – DevOps
What is a Security Control?
Reference : ISO 27034
CONTROLS:
Methods, policies, procedures to protect
• assets
• accuracy & reliability of records
• adherence to management standards
Control Catalog
Reference : ISO 27034
OWASP Top 10 Security Controls
• C1: Define Security Requirements
• C2: Leverage Security Frameworks and Libraries
• C3: Secure Database Access
• C4: Encode and Escape Data
• C5: Validate All Inputs
• C6: Implement Digital Identity
• C7: Enforce Access Controls
• C8: Protect Data Everywhere
• C9: Implement Security Logging and Monitoring
• C10: Handle All Errors and Exceptions
The Process Flow
[Diagram: TVC Triad (Threats, Control, Verify)]
• Threats: Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE
• Control: Control Catalog, ANF
• Verify: Verification Activities
The Revised Process Flow
[Diagram: TVC Triad (Threats, Control, Verify)]
• Threats: Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE
• Control: Control Catalog, ANF
• Verify: Scans, Manual Testing etc.
The Revised Process Flow with Update
[Diagram: TVC Triad (Threats, Control, Verify)]
• Threats: Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE
• Control: Control Catalog, ANF
• Verify: Scans, Manual Testing etc.
What does that mean?
• Let’s talk in developer’s language
– Instead of non-repudiation tell them, “hey, use digital signature”
– Instead of saying tampering or MITM, tell them “Secure data transport via TLS 1.2”
– Etc.
• Threat Library and Control Catalog do not have 1-1 mapping
• Give a finite set of controls. Make it complete, sound and correct
• Failure of a control = Threat
How does the control-based approach help?
• Less dependency on Security experts
• Can be automated and integrated into the pipeline
• Faster
• Standard
• Adaptive and Dynamic
• Complements traditional threat models
– Still you need them for high value products in design phase
Illustrative Example
Microsoft TM Tool Report
Manual Threat Model
• Whiteboard
– With all the stakeholders
Manual Threat Model
• Threat Library
– A list of all possible threats
▪ Attacks on Incomplete Mediation
▪ Attacks on Certificate Validation
▪ Privilege Escalation Attacks
▪ Attacks on Insecure Cryptography
▪ Attacks on Network Communications
▪ Attacks on Secrets
▪ Attacks on Weak Session Management
▪ Attacks on Web Interfaces
▪ Attacks on Web Services
▪ Attacks on Objects
▪ Injection Attacks
▪ Buffer Overflow Attacks
▪ File Upload Attacks
▪ Denial of Service Attacks
▪ Attacks on Installation Packages/Update
▪ Attacks on Security Misconfigurations
▪ Attacks on Audit Logs
▪ Attacks on Embedded Components
▪ Attacks on Datastores
Manual Threat Model
• Threat Library
– A list of all possible threats
▪ Attacks on Incomplete Mediation
  ▪ Unrestricted access
  ▪ Authentication downgrade
  ▪ Authorization bypass
  ▪ Tampering through filesystem access
  ▪ Client bypass
  ▪ Process spoofing
  ▪ Weak access controls
  ▪ Capture/replay attacks
  ▪ Tampering in transit
Manual Report
• Unique Threat Identifier
• Free Form Threat Identifier
• Element(s) involved in the threat
• Base Metrics (CVSSv3)
• Base Metrics CVSSv3 vector
• Detailed explanation of “use case” constructed to calculate the CVSSv3 score
• Threat Library Identifier, CWE
• Technical description of the threat
• Risk Registry Index (if a risk registry exists for the product)
• Threat Status: Known/Unknown
• Planned resolution
• Technical Mitigation
• Business Mitigation
Control Based Approach
Control to Threat Map
• Instead of a Threat Library, let us identify threats by using the Control Catalog
• Example, for the threat Cross-Site Scripting:
Controls | Threat
Web Security Testing (DAST) | Cross-site scripting
Static analysis using a tool that is able to discover XSS issues in the languages utilized | Cross-site scripting
Perform test for reflected cross-site scripting. | Cross-site scripting
Perform test for stored cross-site scripting. | Cross-site scripting
A standard convention to mitigate these threats is agreed upon by the development team and is strictly enforced by coding conventions | Cross-site scripting
Penetration Test | Cross-site scripting
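The control-to-threat map above, combined with the rule from the "What does that mean?" slide that failure of a control = threat, written out as an added example (not code from the talk). The CTRL-nn identifiers, the verification statuses and the decision to treat a control with no result as a gap are assumptions made for this illustration.

```python
from collections import defaultdict

# Control catalog: control ID -> (control, threats that open up if it fails).
# The six XSS rows follow the slide's table; the last two are the deck's
# "developer language" controls. The CTRL-nn IDs are hypothetical.
CATALOG = {
    "CTRL-01": ("Web Security Testing (DAST)", ["Cross-site scripting"]),
    "CTRL-02": ("Static analysis able to discover XSS issues", ["Cross-site scripting"]),
    "CTRL-03": ("Test for reflected cross-site scripting", ["Cross-site scripting"]),
    "CTRL-04": ("Test for stored cross-site scripting", ["Cross-site scripting"]),
    "CTRL-05": ("Enforced coding convention", ["Cross-site scripting"]),
    "CTRL-06": ("Penetration Test", ["Cross-site scripting"]),
    "CTRL-07": ("Secure data transport via TLS 1.2", ["Tampering", "MITM"]),
    "CTRL-08": ("Use digital signature", ["Repudiation"]),
}

# Constructed verification results, as a pipeline stage might record them.
# CTRL-08 has no result at all.
RESULTS = {
    "CTRL-01": "pass", "CTRL-02": "pass", "CTRL-03": "pass",
    "CTRL-04": "fail", "CTRL-05": "pass", "CTRL-06": "pass",
    "CTRL-07": "fail",
}


def derive_threats(catalog, results):
    """Apply "failure of a control = threat".

    Returns {threat: [(control_id, status), ...]} for every control that did
    not pass. Assumption of this example: a control with no verification
    result is a gap and is reported as "unverified"; any status other than
    "pass" is treated as not passing (fail closed).
    """
    unknown = sorted(set(results) - set(catalog))
    if unknown:
        raise ValueError(f"results reference controls not in the catalog: {unknown}")
    threats = defaultdict(list)
    for control_id, (_control, mitigates) in catalog.items():
        status = results.get(control_id, "unverified")
        if status == "pass":
            continue
        for threat in mitigates:  # the mapping is not 1-1 in either direction
            threats[threat].append((control_id, status))
    return dict(threats)


def developer_report(catalog, results):
    """List open items phrased as the control to fix, with the threat attached."""
    lines = []
    for threat, gaps in sorted(derive_threats(catalog, results).items()):
        for control_id, status in gaps:
            control = catalog[control_id][0]
            lines.append(f"{control_id} [{status}] {control} -> open threat: {threat}")
    return lines


def pipeline_gate(catalog, results):
    """Exit code for a CI step: 0 only when every control is verified and passing."""
    return 1 if derive_threats(catalog, results) else 0


if __name__ == "__main__":
    for line in developer_report(CATALOG, RESULTS):
        print(line)
    raise SystemExit(pipeline_gate(CATALOG, RESULTS))
```

One failed TLS control opens two threats, while the single XSS threat is covered by six controls, which is the non-1-1 mapping the slides describe.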
The approach is
• Scalable
• Control-based
• Developer centric
• Effective
• Secure
Key Insights
2. Critical success factors for the threat modelling exercise lie in adopting a structured approach
3. Adopt flipped model: strive for a control-centric approach
• The STRIDE technique may be good at enumerating threats; however, it does not aid in developing a countermeasure / mitigation plan
• An Attack Tree provides an overview of the attack surface at some level of abstraction, which results in not capturing data essential for understanding the threat scenario.
• An Attack Library may provide information about the attack vectors and be suitable as a checklist model, but it may not contribute to the completeness we expect in the exercise.
Takeaways
• Utilize a combination of each of these techniques to perform the various activities in the threat modelling process
• Critical success factors for the threat modelling exercise lie in adopting a structured approach
• Adopt flipped model: strive for a control-centric approach
Thank you!

(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer-centric Threat Modeling for secure software development
